More on Ext file systems

•Journaling

•Ext4 attributes

31

More Linux file systems

•Other filesystems relevant on Linux:

–btrfs

–xfs

32

The Sleuth kit (TSK)

•The Sleuth kit tools for accessing the file system

–work on images (raw, EWF, and other) to give information on partitions, inodes, and files

–examples

•mmls: show partition table

•ils: show inode content

•fls: show file system content

33

Mounting file systems

•mount command is used to access file systems

–e.g.: mount /dev/sdb1 /mountpoint

•the mount command without arguments shows all mounted file systems

•umount command to unmount

–umount <device_name_or_mount_point>

•TODO: screenshots

34

Mounting file systems

•to mount the only partition of an image file

–mount image.dd /mountpoint

–in older versions of mount you might need to add the option '-o loop'

•to mount a partition from an image file:

–locate offset of partition: use tool to display partition table (gives offset in sectors)

–mount -o offset=offset_in_bytes image.dd /mp

35

Mounting file systems

•The mount command can only mount raw images

•Images in "Expert Witness Format" (EWF; file extension E01) need to be converted using

–ewfmount * **

–xmount **

–ewfconvert *

* Part of ewf-tools package ** on-the-fly conversion

36

Summary

•Ext is the standard file system for Linux and Android

•Three major versions in use (2, 3 and 4)

•Forensic tools analyse the superblock, block group descriptors, and inodes to recover information from the file system

37

References & Resources

•The Linux Kernel (Chapter 9), The Linux Documentation Project, http://www.tldp.org/LDP/tlk/fs/filesystem.html

38